The Data of 80,000 Transavia Passengers Was Breached in a Cyberattack

If you think about the procedures you go through when you're organizing even mundane activities like air travel, you might suddenly realize how often you need to hand over your data and how little you know about what happens to it. Even if you prefer to book tickets in person and pay for them in cash, you still need to give the airline your personal information. The employee on the other side of the desk enters it somewhere, and in most cases, you are given absolutely no information on where it goes and how it's stored. Unfortunately, as about 80 thousand customers of Transavia can now testify, if you do hear about how your data is processed, it's usually because it's been put at risk.

Hackers accessed the personal and flight data of thousands of Transavia customers

On Monday, Transavia, a low-cost Dutch airline, admitted that it has suffered a data breach. The notification was sent to all 80 thousand passengers that were affected, and although it didn't say when the attack took place, it disclosed what sort of information was involved. The hackers managed to get their hands on names, dates of birth, booking numbers, flight data, and special requirements. The airline was quick to point out that the crooks didn't access any credit card details, passports, personal information, physical and email addresses, or telephone numbers.

Transavia has apparently finished its investigation and has "no reason to believe" that any of the potentially compromised information has been abused so far. According to the notification, armed with just your name, date of birth, and flight data, the crooks can't cause much damage anyway.

While we do maintain that victims would be the judges of that, we will say that this is far from the worst data breach ever reported. The number of affected individuals is not that huge, and the potentially stolen information is not particularly sensitive. There's a lot more to it than that, though.

Transavia kept passengers' personal information in an employee's inbox for close to five years

The data breach notification is accompanied by a few frequently asked questions, which give us a relatively clear idea of what exactly happened. Apparently, hackers gained "unwanted" access to the mailbox of one of Transavia's employees, and in there, they found "a file with personal data."

Inside the file, the crooks saw the details of most of the people who flew with Transavia between January 21 and January 31, 2015. For reasons that remain unclear, the passengers who traveled to Egypt, Lapland, and the Canary Islands during that period were not affected. These details are worrying not just for the people who had their data accessed but also for anyone who has ever traveled on a commercial airplane.

Transavia didn't say how the crooks managed to get into their employee's mailbox, but the fact that this was the initial point of compromise suggests that the victim either used a weak password or was targeted by a phishing attack. It almost certainly means that the email account was not protected with two-factor authentication.

Nobody is immune to cyberattacks, but you can already see some security issues. Worst of all, however, is the fact that the data was stored in the inbox of an email account in the first place. And it was stored there for what could be more than five years.

Transavia clearly made some pretty horrific mistakes in the handling of people's personal information. This doesn't necessarily mean that other airlines are equally negligent, but you'd be hard-pressed to find conclusive evidence that they aren't, especially in light of recent cybersecurity incidents involving companies working in the same industry.

The Transavia data breach is unlikely to have a particularly adverse effect on the people who had their details compromised, but it will hopefully serve as a reminder of how little we know about the companies that are in charge of protecting our information. Unfortunately, in this day and age, there's little you can do about it.

February 27, 2020